CloudWatch Logs encryption

Collect Logs from Amazon S3 Buckets with KMS Encryption

USM Anywhere™

If you are using an AWS Key Management Service (KMS) key to encrypt the Amazon S3 buckets where your logs are stored, perform the following steps so that your USM Anywhere Sensor can decrypt the objects it collects from those buckets.

Note: To do this, you first need to know the bucket that is encrypted, the KMS key used for the encryption, and the Identity and Access Management (IAM) role created for your sensor.

To enable your sensor to decrypt KMS-encrypted buckets

  1. Log in to the AWS Management Console and navigate to the Key Management Service (KMS) page.
  2. Open the Customer Managed Keys page and locate the KMS key you are using.
  3. Scroll down to the Key Users section.
  4. Click Add.
  5. Use the list or the search bar to select the IAM role created for your sensor.


  6. Click Add.
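The console steps above add the sensor role to the key's Key users list, which is a statement in the KMS key policy. The script below is an added example, not code from the USM Anywhere guide, that does the same with the AWS CLI: it looks up the KMS key configured as the bucket's default encryption and appends a statement for the sensor role to that key's existing policy. The bucket name, account ID and role name are placeholders and jq is assumed to be installed. The console's Key users option grants Encrypt, Decrypt, ReEncrypt, GenerateDataKey and DescribeKey; a collector that only reads objects needs Decrypt, so this statement grants only that plus DescribeKey.

```shell
#!/bin/sh
# Added example (not from the USM Anywhere guide). BUCKET and
# SENSOR_ROLE_ARN are placeholders; jq is assumed to be installed.
set -eu

BUCKET="${BUCKET:-example-log-archive-bucket}"
SENSOR_ROLE_ARN="${SENSOR_ROLE_ARN:-arn:aws:iam::111122223333:role/usm-anywhere-sensor}"

# Key policy statement that lets the sensor role read SSE-KMS objects.
# Deliberately narrower than the console's "Key users" grant: a read-only
# log collector never needs Encrypt, ReEncrypt or GenerateDataKey.
sensor_key_user_statement() {
  role_arn="$1"
  cat <<EOF
{
  "Sid": "AllowSensorRoleToDecryptLogObjects",
  "Effect": "Allow",
  "Principal": {"AWS": "${role_arn}"},
  "Action": ["kms:Decrypt", "kms:DescribeKey"],
  "Resource": "*"
}
EOF
}

# KMS key configured as the bucket's default encryption. Prints "None"
# when the bucket uses SSE-S3, in which case no key policy change applies.
bucket_kms_key() {
  aws s3api get-bucket-encryption --bucket "$1" \
    --query 'ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.KMSMasterKeyID' \
    --output text
}

apply() {
  key_id="$(bucket_kms_key "$BUCKET")"
  case "$key_id" in
    ""|None) echo "bucket ${BUCKET} is not encrypted with a KMS key" >&2; return 0 ;;
  esac
  stmt="$(sensor_key_user_statement "$SENSOR_ROLE_ARN")"
  policy_file="$(mktemp)"
  # Append to the existing policy instead of replacing it, so the account
  # root and every principal already listed keep their access.
  aws kms get-key-policy --key-id "$key_id" --policy-name default --output text \
    | jq --argjson s "$stmt" '.Statement += [$s]' > "$policy_file"
  aws kms put-key-policy --key-id "$key_id" --policy-name default \
    --policy "file://${policy_file}"
  rm -f "$policy_file"
  echo "added ${SENSOR_ROLE_ARN} as a decrypt-only user of ${key_id}"
}

case "${1:-}" in apply) apply ;; esac
```

Run with `apply` after setting BUCKET and SENSOR_ROLE_ARN. If the bucket and key live in a different AWS account from the sensor, the key policy statement is only half of what is needed: the sensor role's own IAM policy must also allow kms:Decrypt on that key ARN, since cross-account KMS access requires both sides to allow it.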
Source: https://cybersecurity.att.com/documentation/usm-anywhere/deployment-guide/aws/kms-encrypted-logs.htm

Data protection in Amazon CloudWatch Logs

The AWS shared responsibility model applies to data protection in Amazon CloudWatch Logs. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. This content includes the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the Data Privacy FAQ. For information about data protection in Europe, see the AWS Shared Responsibility Model and GDPR blog post on the AWS Security Blog.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM). That way each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:

  • Use multi-factor authentication (MFA) with each account.

  • Use SSL/TLS to communicate with AWS resources. We recommend TLS 1.2 or later.

  • Set up API and user activity logging with AWS CloudTrail.

  • Use AWS encryption solutions, along with all default security controls within AWS services.

  • Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.

  • If you require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-2.

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form fields such as a Name field. This includes when you work with CloudWatch Logs or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

Encryption at rest

CloudWatch Logs protects data at rest using encryption. All log groups are encrypted. By default, the CloudWatch Logs service manages the server-side encryption keys.

If you want to manage the keys used for encrypting and decrypting your logs, use customer master keys (CMK) from AWS Key Management Service. For more information, see Encrypt log data in CloudWatch Logs using AWS Key Management Service.

Encryption in transit

CloudWatch Logs uses end-to-end encryption of data in transit. The CloudWatch Logs service manages the server-side encryption keys.

Source: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/data-protection.html

Encrypt log data in CloudWatch Logs using AWS Key Management Service

Log group data is always encrypted in CloudWatch Logs. You can optionally use AWS Key Management Service for this encryption. If you do, the encryption is done using an AWS KMS customer managed key. Encryption using AWS KMS is enabled at the log group level, by associating a key with a log group, either when you create the log group or after it exists.

Important

CloudWatch Logs now supports encryption context, using as the key and the ARN of the log group as the value for that key. If you have log groups that you have already encrypted with a customer managed key, and you would like to restrict the key to be used with a single account and log group, you should assign a new customer managed key that includes a condition in the IAM policy. For more information, see AWS KMS keys and encryption context.

After you associate a customer managed key with a log group, all newly ingested data for the log group is encrypted using this key. This data is stored in encrypted format throughout its retention period. CloudWatch Logs decrypts this data whenever it is requested. CloudWatch Logs must have permissions for the customer managed key whenever encrypted data is requested.

After you disassociate a customer managed key from a log group, CloudWatch Logs encrypts newly ingested data using the CloudWatch Logs default encryption method. All previously ingested data that was encrypted with the customer managed key remains encrypted with that key.

Important

CloudWatch Logs supports only symmetric customer managed keys. Do not use an asymmetric key to encrypt the data in your log groups. For more information, see Using Symmetric and Asymmetric Keys.

Limits

  • To perform the following steps, you must have the following permissions: , , and .

  • After you associate or disassociate a key from a log group, it can take up to five minutes for the operation to take effect.

  • If you revoke CloudWatch Logs access to an associated key or delete an associated customer managed key, your encrypted data in CloudWatch Logs can no longer be retrieved.

  • You cannot associate a customer managed key with a log group using the CloudWatch console.

Step 1: Create an AWS KMS customer managed key

To create an AWS KMS customer managed key, use the following create-key command:

The output contains the key ID and Amazon Resource Name (ARN) of the key. The following is example output:

Step 2: Set permissions on the customer managed key

By default, all AWS KMS customer managed keys are private: only the key owner can use them to encrypt and decrypt data. The owner can, however, grant other users and resources permission to use the key. In this step, you give the CloudWatch Logs service principal permission to use the key. This service principal must be in the same AWS Region as the key.

As a best practice, we recommend that you restrict the use of the key to only those AWS accounts or log groups you specify.

First, save the default policy for your customer managed key as using the following get-key-policy command:

Open the file in a text editor and add the section in bold from one of the following statements. Separate the existing statement from the new statement with a comma. These statements use sections to enhance the security of the AWS KMS key. For more information, see AWS KMS keys and encryption context.

The section in this example restricts the key to a single log group ARN.

The section in this example limits the use of the AWS KMS key to the specified account, but it can be used for any log group.

Finally, add the updated policy using the following put-key-policy command:

Step 3: Associate a log group with a customer managed key

You can associate a customer managed key with a log group when you create it or after it exists.

To find whether a log group already has a customer managed key associated, use the following describe-log-groups command:

If the output includes a field, the log group is associated with the key displayed for the value of that field.

To associate the customer managed key with a log group when you create it

Use the create-log-group command as follows:

To associate the customer managed key with an existing log group

Use the associate-kms-key command as follows:

Step 4: Disassociate a log group from a CMK

To disassociate the customer managed key associated with a log group, use the following disassociate-kms-key command:

AWS KMS keys and encryption context

To enhance the security of your AWS Key Management Service keys and your encrypted log groups, CloudWatch Logs now includes the log group ARN in the encryption context used to encrypt your log data. Encryption context is a set of key-value pairs that is used as additional authenticated data. Because it is bound to the ciphertext, the encryption context lets you use IAM policy conditions to limit use of your AWS KMS key to a specific AWS account and log group. For more information, see Encryption context and IAM JSON Policy Elements: Condition.

We recommend that you use different customer managed keys for each of your encrypted log groups.

If you have a log group that you encrypted previously and now want to change the log group to use a new customer managed key that works only for that log group, follow these steps.

To convert an encrypted log group to use a customer managed key with a policy limiting it to that log group

  1. Enter the following command to find the ARN of the log group's current key:

    The output includes the following line. Make a note of the ARN. You need to use it in step 7.

  2. Enter the following command to create a new customer managed key:

  3. Enter the following command to save the new key's policy to a file:

  4. Use a text editor to open and add a expression to the policy:

  5. Enter the following command to add the updated policy to the new customer managed key:

  6. Enter the following command to associate the policy with your log group:

    CloudWatch Logs now encrypts all new data using the new key.

  7. Next, revoke all permissions except from the old key. First, enter the following command to retrieve the old policy:

  8. Use a text editor to open and remove all values from the list, except for

  9. Enter the following command to add the updated policy to the old key:
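The CLI commands referred to in Steps 1 to 4 and in the conversion procedure above were dropped from this copy of the page. The script below is an added example, not the documentation's own code, that carries out Steps 1 to 3 and the conversion procedure with the AWS CLI. The region, account ID and log group name are placeholders. The condition key it uses, kms:EncryptionContext:aws:logs:arn, is the one AWS documents for the log group ARN that CloudWatch Logs places in the encryption context, and is taken as given here: ArnEquals on the full log group ARN restricts the key to one log group, while ArnLike with a trailing wildcard allows any log group in the account. The key policy is written whole rather than edited with get-key-policy, and its first statement reproduces what the default policy grants to the account root.

```shell
#!/bin/sh
# Added example (not from the AWS documentation). Region, account ID and
# log group name are placeholders; override them via the environment.
set -eu

REGION="${REGION:-us-east-1}"
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"
LOG_GROUP="${LOG_GROUP:-/app/api}"

# Print a complete key policy. Statement 1 keeps the account root (and so
# IAM policies in the account) able to administer the key, as the default
# policy does. Statement 2 lets the regional CloudWatch Logs service
# principal use the key, bounded by the encryption context the service
# attaches (aws:logs:arn = log group ARN):
#   scope=log-group  only this log group (ArnEquals on the full ARN)
#   scope=account    any log group in this account (ArnLike, wildcard)
#   scope=decrypt    kms:Decrypt* only and no condition, for a key being
#                    retired that must still decrypt already-ingested data
key_policy_json() {
  region="$1"; account="$2"; log_group="$3"; scope="$4"
  actions='"kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"'
  operator="ArnEquals"
  context_arn="arn:aws:logs:${region}:${account}:log-group:${log_group}"
  case "$scope" in
    log-group) ;;
    account) operator="ArnLike"; context_arn="arn:aws:logs:${region}:${account}:*" ;;
    decrypt) actions='"kms:Decrypt*"' ;;
    *) echo "unknown scope: $scope" >&2; return 1 ;;
  esac
  condition=""
  if [ "$scope" != "decrypt" ]; then
    condition="$(printf ',\n      "Condition": {"%s": {"kms:EncryptionContext:aws:logs:arn": "%s"}}' \
                 "$operator" "$context_arn")"
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Id": "cloudwatch-logs-${scope}",
  "Statement": [
    {
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${account}:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudWatchLogs",
      "Effect": "Allow",
      "Principal": {"Service": "logs.${region}.amazonaws.com"},
      "Action": [${actions}],
      "Resource": "*"${condition}
    }
  ]
}
EOF
}

# Steps 1 and 2: create a symmetric key (the only kind CloudWatch Logs
# accepts) and replace its default policy. Prints the new key ARN.
create_key_with_policy() {
  policy_file="$(mktemp)"
  key_policy_json "$REGION" "$ACCOUNT_ID" "$LOG_GROUP" "$1" > "$policy_file"
  key_id="$(aws kms create-key --region "$REGION" \
      --description "CloudWatch Logs key for ${LOG_GROUP}" \
      --query KeyMetadata.KeyId --output text)"
  aws kms put-key-policy --region "$REGION" --key-id "$key_id" \
      --policy-name default --policy "file://${policy_file}"
  rm -f "$policy_file"
  echo "arn:aws:kms:${REGION}:${ACCOUNT_ID}:key/${key_id}"
}

# kmsKeyId currently associated with LOG_GROUP ("None" if there is none).
current_key_arn() {
  aws logs describe-log-groups --region "$REGION" \
      --log-group-name-prefix "$LOG_GROUP" \
      --query "logGroups[?logGroupName=='${LOG_GROUP}'].kmsKeyId" --output text
}

# Step 3 for a new or an existing log group, then the describe check
# (the association can take up to five minutes to show here).
associate_and_verify() {
  aws logs create-log-group --region "$REGION" --log-group-name "$LOG_GROUP" \
      --kms-key-id "$1" 2>/dev/null \
    || aws logs associate-kms-key --region "$REGION" \
         --log-group-name "$LOG_GROUP" --kms-key-id "$1"
  current_key_arn
}

# Conversion procedure: record the old key, create and associate a key
# scoped to this log group, then reduce the old key to decrypt-only.
convert_to_single_log_group_key() {
  old_key_arn="$(current_key_arn)"
  associate_and_verify "$(create_key_with_policy log-group)"
  if [ -n "$old_key_arn" ] && [ "$old_key_arn" != "None" ]; then
    policy_file="$(mktemp)"
    key_policy_json "$REGION" "$ACCOUNT_ID" "$LOG_GROUP" decrypt > "$policy_file"
    aws kms put-key-policy --region "$REGION" --key-id "$old_key_arn" \
        --policy-name default --policy "file://${policy_file}"
    rm -f "$policy_file"
  fi
}

case "${1:-}" in
  apply)   associate_and_verify "$(create_key_with_policy log-group)" ;;
  convert) convert_to_single_log_group_key ;;
esac
```

Run with `apply` for a new log group or one still using the default encryption, and with `convert` to move an already-encrypted log group to a key limited to that group. The decrypt-only policy written to the old key carries no Condition: the documentation above tells you to assign a new key rather than add a condition to the existing one, and the old key must keep decrypting everything it already encrypted. Note that `convert` replaces the old key's policy outright; if that key is shared with other principals, edit its existing policy as in steps 7 to 9 instead.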

Source: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html

CloudWatch Logs Encryption Mode

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

To meet security and compliance requirements, it is strongly recommended to encrypt AWS Glue logs with an AWS KMS key (SSE-KMS) when publishing them to Amazon CloudWatch Logs, so that the key protecting the logs is one you control rather than only the CloudWatch Logs service default.


Audit (AWS Management Console)

01 Sign in to AWS Management Console.

02 Navigate to Glue service dashboard at https://console.aws.amazon.com/glue/.

03 In the navigation panel, under Security, choose Security configurations.

04 Select the security configuration that you want to examine, then click on the resource name to access its configuration details page.

05 On the security configuration details page, check the value of the CloudWatch logs encryption mode attribute. If the value is DISABLED, the selected security configuration is not compliant: AWS Glue logs published to CloudWatch Logs are not encrypted with a KMS key of your choosing (the log group only carries the CloudWatch Logs default, service-managed encryption at rest).

06 Repeat step no. 4 and 5 to verify other Amazon Glue security configurations created in the current region.

07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Audit (AWS CLI)

01 Run get-security-configurations command (OSX/Linux/UNIX) to retrieve the names of all AWS Glue security configurations created within the selected AWS region – in this case the US East (N. Virginia) region:

aws glue get-security-configurations --region us-east-1 --output table --query 'SecurityConfigurations[*].Name'

02 The command output should return a table with security configuration names:

-------------------------------
|  GetSecurityConfigurations  |
+-----------------------------+
|  cc-security-configuration  |
|  cc-glue-new-config-file    |
+-----------------------------+

03 Execute get-security-configuration command (OSX/Linux/UNIX) using the name of the AWS Glue security configuration that you want to examine as identifier and custom query filters to expose the AWS CloudWatch Logs encryption mode status:

aws glue get-security-configuration --name cc-security-configuration --region us-east-1 --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode'

04 The command output should return the requested information (i.e. the encryption mode):

"DISABLED"

If the get-security-configuration command output returns "DISABLED", as shown in the example above, the selected security configuration is not compliant: AWS Glue logs published to CloudWatch Logs are not encrypted with a KMS key of your choosing (the log group only carries the CloudWatch Logs default, service-managed encryption at rest).

05 Repeat step no. 3 and 4 to check other Amazon Glue security configurations available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
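The audit above is run one region and one security configuration at a time. The script below is an added example, not part of the Conformity article, that runs the same two queries over every security configuration in a list of regions and prints the non-compliant ones. The region list is an assumption. Anything other than SSE-KMS, including a missing attribute (which the CLI prints as None), is reported as non-compliant so that an absent setting does not pass silently.

```shell
#!/bin/sh
# Added example (not from the Conformity article). REGIONS is an
# assumed default; override it via the environment.
set -eu

REGIONS="${REGIONS:-us-east-1 us-west-2 eu-west-1}"

# Compliance decision for the value of
# SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode.
# Returns 0 only for SSE-KMS; DISABLED, None, an empty value or anything
# unexpected fails closed.
mode_is_compliant() {
  case "${1:-}" in
    SSE-KMS) return 0 ;;
    *)       return 1 ;;
  esac
}

# One line per security configuration in the region:
#   OK|NONCOMPLIANT <region> <name> <mode>
audit_region() {
  region="$1"
  names="$(aws glue get-security-configurations --region "$region" \
             --query 'SecurityConfigurations[*].Name' --output text)"
  for name in $names; do
    mode="$(aws glue get-security-configuration --region "$region" --name "$name" \
              --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' \
              --output text)"
    if mode_is_compliant "$mode"; then
      echo "OK           ${region} ${name} ${mode}"
    else
      echo "NONCOMPLIANT ${region} ${name} ${mode:-missing}"
    fi
  done
}

audit_all() {
  for r in $REGIONS; do
    audit_region "$r"
  done
}

case "${1:-}" in audit) audit_all ;; esac
```

Run with `audit`; pipe the output through `grep ^NONCOMPLIANT` to get only the configurations that need the remediation below. The security configuration is only half of the picture: a crawler, job or development endpoint that is not attached to any security configuration also writes unencrypted-by-KMS logs, so check those attachments as well.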

Remediation (AWS Management Console)

01 Sign in to AWS Management Console.

02 Navigate to Glue service dashboard at https://console.aws.amazon.com/glue/.

03 In the left navigation panel, under Security, choose Security configurations.

04 Click Add security configuration to initiate the setup process.

05 On Add security configuration page, perform the following:

  1. Enter a unique name for your new configuration within Security configuration name box.
  2. Select the CloudWatch logs encryption checkbox to enable KMS (SSE-KMS) encryption when writing logs to Amazon CloudWatch Logs, then choose the ARN of the AWS KMS key that you want to use from the AWS KMS key dropdown list.
  3. Make sure that S3 encryption and Job bookmark encryption are also enabled in the configuration, then click Finish to create the new AWS Glue security configuration.

06 Reconfigure (update) your existing Amazon Glue crawlers, jobs and development endpoints to make use of the new security configuration created at the previous step.

07 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Note: Enabling data-at-rest encryption with KMS Customer Master Keys (CMKs) for AWS Glue Data Catalog connection passwords using the AWS API via Command Line Interface (CLI) is not currently supported.

Remediation (AWS CLI)

01 Define your new AWS Glue security configuration parameters and save the document to a JSON file named sec-config-logs-encrypted.json. Replace the "KmsKeyArn" parameter value with the Amazon Resource Name (ARN) of your own AWS KMS key:

{
  "CloudWatchEncryption": {
    "CloudWatchEncryptionMode": "SSE-KMS",
    "KmsKeyArn": "arn:aws:kms:us-east-1:1234567890:key/abcdabcd-1234-abcd-1234-abcdabcdabcd"
  },
  "S3Encryption": [
    {
      "S3EncryptionMode": "DISABLED"
    }
  ],
  "JobBookmarksEncryption": {
    "JobBookmarksEncryptionMode": "DISABLED"
  }
}

02 Run create-security-configuration command (OSX/Linux/UNIX) using the sec-config-logs-encrypted.json file defined at the previous step as command parameter to create a new Amazon Glue security configuration that has AWS CloudWatch Logs encryption mode enabled:

aws glue create-security-configuration --region us-east-1 --name cc-new-sec-configuration --encryption-configuration file://sec-config-logs-encrypted.json

03 The command output should return the command request metadata:

{
  "CreatedTimestamp": 1548331153.265,
  "Name": "cc-new-sec-configuration"
}

04 Now you can update your existing Amazon Glue crawlers, jobs and development endpoints configuration to make use of the new security configuration created at the previous steps.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the remediation/resolution process for other regions.

Publication date Jan 17, 2019

Risk level: Medium



Source: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/cloud-watch-logs-encryption-enabled.html

KMS permissions for encrypted CloudWatch LogGroups with AWS Systems Session Manager

I tried to replicate your issue.

My session manager settings:

[screenshot omitted]

The CloudWatch log group has been encrypted using CLI:

After launching the session manager I can get confirmation that it is encrypted:

[screenshot omitted]

Based on this verification, the only thing required to make it work was setting KMS key policies. I added the following to my KMS ( is instance role, the other entries should be self-explanatory):

answered Jul 1 '20 at 5:28

Marcin

Source: https://stackoverflow.com/questions/62669923/kms-permissions-for-encrypted-cloudwatch-loggroups-with-aws-systems-session-mana
